NETSTAT command syntax and options. Description of the NETSTAT command (statistics of active TCP connections) Netstat description of the linux command

The release of WordPress 5.3 improves and expands the block editor introduced in WordPress 5.0 with a new block, more intuitive interaction, and improved accessibility. New features in the editor […]

After nine months of development, the FFmpeg 4.2 multimedia package is available, which includes a set of applications and a collection of libraries for operations on various multimedia formats (recording, converting and […]

New features in Linux Mint 19.2 Cinnamon

Linux Mint 19.2 is a long-term support release that will be supported until 2023. It comes with updated software and contains improvements and many new […]

Linux Mint 19.2 distribution released

Release presented Linux distribution Mint 19.2, the second update to the Linux Mint 19.x branch, based on the Ubuntu 18.04 LTS package base and supported until 2023. The distribution is fully compatible [...]

New BIND service releases are available that contain bug fixes and feature improvements. New releases can be downloaded from the downloads page on the developer's website: […]

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use in Unix systems connected to the Internet. It is freely available in accordance with [...]

After almost two years of development, the release of ZFS on Linux 0.8.0 is presented, implementation file system ZFS, packaged as a module for the Linux kernel. The module has been tested with Linux kernels from 2.6.32 to […]

WordPress 5.1.1 fixes a vulnerability that allows you to take control of your site

The IETF (Internet Engineering Task Force), which develops Internet protocols and architecture, has completed an RFC for the ACME (Automatic Certificate Management Environment) protocol […]

The non-profit certification authority Let’s Encrypt, which is controlled by the community and provides certificates free of charge to everyone, summed up the results of the past year and talked about plans for 2019. […]

Came out a new version Libreoffice – Libreoffice 6.2

Netstat This is a very useful utility that some system administrators use every day, while others only use it to diagnose problems. But in any case, understanding this utility and being able to use it is very useful.

The command has only 10 parameters, of which probably the most frequently used is the parameter -a, which displays all connections and ports in use. However, even specifying parameters netstat from displays quite useful information.

Let us now consider the useful parameters of the utility netstat

Full domain name: When using the parameter -f The fully qualified domain names of connected remote hosts will be displayed. Any names will be resolved accessible ways. In the figure below you can see an example of this action:

Which process is using the open port: Using a combination of parameters -a -n -o You can track which process is using the open port. From the output of the command we find out the process identifier (PID), with which we can find the desired process in the task manager.

You can use another useful option to make the display more friendly. Parameter -b will show the name of each process, however it requires administrator rights.

Displaying the routing table: When using the parameter -r you can view the current routing table.

I most often use these 4 parameters for diagnostics Windows problems. How else do you use netstat and why?

Helpful information

Do you like to dress fashionably and beautifully? Go to an online clothing store from Korea and buy yourself items of excellent quality at an affordable price.

The Netstat command displays various network data such as network connections, routing table, interface statistics, masked connections, multicast space, etc.,

In this article, let's look at 10 practical command examples NetStat on Unix.

1. List of all ports (both listening and non-listening ports)

List all ports using Netstat -a command

# netstat -a | more Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:30037 *:* LISTEN udp 0 0 *:bootpc *:* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 6135 /tmp/.X11-unix/X0 unix 2 [ ACC ] STREAM LISTENING 5140 /var/run/acpid.socket

List all TCP ports using netstat -at

# netstat -at Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 localhost:webcache 0.0.0..0.0 .0:* LISTEN tcp 0 0 localhost:domain 0.0.0.0:* LISTEN

Listing all UDP ports using netstat -au

# netstat -au Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 andreyex..ru:50053 google-public-dn:domain ESTABLISHED

2. List of sockets that are in listening state

List only listening ports using netstat -l

# netstat -l Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 localhost:webcache 0.0.0..0.0. 0:* LISTEN tcp 0 0 localhost:domain 0.0.0.0:* LISTEN

List only TCP listening ports using netstat -lt

# netstat -lt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 localhost:webcache 0.0.0..0.0. 0:* LISTEN tcp 0 0 localhost:domain 0.0.0.0:* LISTEN

List only listening UDP ports using netstat -lu

# netstat -lu Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 site:domain 0.0.0.0:* udp 0 0 localhost:domain 0.0.0..0.0.0:*

List only UNIX listening ports using netstat -lx

# netstat -lx Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 19693 tmp/core.adm.internal unix 2 [ ACC ] SEQPACKET LISTENING 8723 /run/udev/control unix 2 [ ACC ] STREAM LISTENING 12566 /var/run/dbus/system_bus_socket unix 2 [ ACC ] STREAM LISTENING 16948 /var/run/fail2ban/fail2ban.sock unix 2 [ ACC ] STREAM LISTENING 19702 tmp/core.sock

Team netstat, included in the standard UNIX network toolset, displays various network-related information, such as network connections, interface statistics, routing tables, masquerade, multicast, etc.

In this article we will look at ten practical examples of using the command netstat on Linux.

1. List of all ports (both listened and not)

List all ports: netstat -a

# netstat -a | more Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:domain *:* LISTEN udp6 0 0 fe80::20c:29ff:fe68:ntp [::]:* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 20492 /var/run/mysqld/mysqld.sock unix 2 [ ACC ] STREAM LISTENING 23323 /var/run/php5 -fpm.sock

List all TCP ports: netstat -at

# netstat -at Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:domain *:* LISTEN tcp 0 0 *:ssh *:* LISTEN tcp 0 0 localhost:ipp *:* LISTEN tcp 0 0 *:http *:* LISTEN

List all UDP ports: netstat -au

# netstat -au Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 localhost:domain *:* udp 0 0 *:bootpc *:* udp6 0 0 fe80::20c: 29ff:fe68:ntp [::]:*

2. List of sockets in LISTEN state

List all listening ports: netstat -l

# netstat -l Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:domain *:* LISTEN tcp6 0 0 [::]:ssh [::]:* LISTEN udp 0 0 192.168.128.134:ntp *:*

List TCP listening ports: netstat -lt

# netstat -lt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:domain *:* LISTEN tcp 0 0 localhost:ipp *:* LISTEN tcp6 0 0 [::] :ssh [::]:* LISTEN

List listening UDP ports: netstat -lu

# netstat -lu Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 *:bootpc *:* udp6 0 0 [::]:ntp [::]:*

List UNIX listening sockets: netstat -lx

# netstat -lx Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 3141 /var/run/fail2ban/fail2ban.sock unix 2 [ ACC ] STREAM LISTENING 20492 /var/ run/mysqld/mysqld.sock unix 2 [ ACC ] STREAM LISTENING 23323 /var/run/php5-fpm.sock

3. View statistics for each protocol

Show statistics for all ports: netstat -s

# netstat -s Ip: 11150 total packets received 1 with invalid addresses 0 forwarded 0 incoming packets discarded 11149 incoming packets delivered 11635 requests sent out Icmp: 13791 ICMP messages received 12 input ICMP message failed. Tcp: 15020 active connections openings 97955 passive connection openings 135 failed connection attempts Udp: 2841 packets received 180 packets to unknown port received. .....

Show statistics for TCP ports only: netstat -st

# netstat -st

Show statistics for UDP ports only: netstat -su

# netstat -su

4. Display PID and process name in netstat output

Option netstat -p will add "PID/Program Name" to netstat output, and can be combined with any other set of options. This is very useful for debugging, to determine which program is running on a specific port.

# netstat -pt Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 org-ru-putty.vm.udf:www 52-106.plus.kerch :55723 ESTABLISHED 9486/nginx: worker tcp 0 0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55757 ESTABLISHED 9486/nginx: worker

5. Name resolution in netstat output

When you don't need to resolve hostname, portname, username, use the option netstat -n to display values in digital format. The command will show IP address instead of host, port number instead of port name, UID instead of username.

This will also speed up the output since netstat will not perform unnecessary searches.

# netstat -an

To display the numerical values of only some of these items, use the following commands:

# netsat -a --numeric-ports # netsat -a --numeric-hosts # netsat -a --numeric-users

6. Netstat output continuously

Option netstat -c will output information continuously, in style top, refreshing the screen every few seconds.

# netstat -c Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 org-ru-putty.vm.udf:www 182.131.74.202:59933 FIN_WAIT2 tcp 0 0 org- ru-putty.vm.udf:www 182.131.74.202:63761 FIN_WAIT2 tcp 0 0 org-ru-putty.vm.udf:www 92-181-66-102-irk.:4585 ESTABLISHED ^C

7. Address families not supported by the system

Option netstat --verbose will show detailed output, and at the very end will display unsupported Address Families.

Netstat: no support for `AF IPX" on this system. netstat: no support for `AF AX25" on this system. netstat: no support for `AF X25" on this system. netstat: no support for `AF NETROM" on this system.

8. Kernel routing

Show kernel routing table: netstat -r

# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default 192.168.128.2 0.0.0.0 UG 0 0 0 eth0 192.168.128.0 * 255.255.255.0 U 0 0 0 eth0

Note: Use netstat -rn to view the route in digital format without resolving host names.

9. Compliance of ports and processes

Find out which port is occupied by a certain program:

# netstat -ap | grep ssh (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 *:ssh *:* LISTEN - tcp6 0 0 [::] :ssh [::]:* LISTEN -

Find out which process is using a specific port:

# netstat -an | grep ":80"

10. Network interfaces

Show list of network interfaces: netstat -i

# netstat -i Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1500 0 1911037 0 0 0 1382056 0 0 0 BMRU lo 16436 0 0 0 0 0 0 0 0 0 LRU

Show extended information about interfaces (same as ifconfig): netstat -ie

# netstat -ie Kernel Interface table eth0 Link encap:Ethernet HWaddr 00:0c:29:68:4c:a4 inet addr:192.168.128.134 Bcast:192.168.128.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff: fe68:4ca4/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:24278 errors:0 dropped:0 overruns:0 frame:0 TX packets:11275 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:33203025 (33.2 MB) TX bytes:665822 (665.8 KB) Interrupt:19 Base address:0x2000

11. netstat -lnptux

Let's summarize the above and combine the keys into one useful command that will show:

-l all open ports (LISTEN)
-t over TCP protocol
-u over UDP protocol
-x via UNIX Socket protocol
-n without resolving IP/names
-p but with process names and PIDs

Note: Not all processes can be identified by the last key; other processes will not be shown. You must have root rights to see everything.

# netstat -lnptux Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 9614/nginx tcp 0 0 0.0.0.0 :22 0.0.0.0:* LISTEN 601/sshd udp 0 0 8.8.4.4:123 0.0.0.0:* 574/ntpd udp 0 0 127.0.0.1:123 0.0.0.0:* 574/ntpd udp 0 0 0.0.0.0: 123 0.0.0.0:* 574/ntpd Active UNIX domain sockets (servers only) Proto RefCnt Flags Type State I-Node PID/Program name Path unix 2 [ ACC ] STREAM LISTENING 4233 826/python /var/run/fail2ban/fail2ban. sock unix 2 [ ACC ] STREAM LISTENING 8122 2561/mysqld /var/run/mysqld/mysqld.sock unix 2 [ ACC ] STREAM LISTENING 160413 7301/php-fpm.conf /var/run/php5-fpm.sock

January 2013, website

Please enable JavaScript

Team NETSTAT is designed to obtain information about the status of network connections and the TCP and UDP ports listening on this computer, as well as to display statistical data on network interfaces and protocols.

Format command line:

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [interval]

Command line options:

-a- Displays all connections and waiting ports.
-b- Display executable file involved in the creation of each connection, or listening port. Sometimes known executable files contain multiple independent components. Then the sequence of components involved in creating the connection or the waiting port is displayed. In this case, the name of the executable file is at the bottom in brackets, at the top is the component that it calls, and so on until TCP/IP is reached. Please note that this approach can be time consuming and requires sufficient permissions.
-e- Display Ethernet statistics. Can be used in conjunction with the -s option.
-f- Displays the Fully Qualified Domain Name (FQDN) for external addresses.
-n- Display addresses and port numbers in numeric format.
-o- Display the process code (ID) of each connection.
-p protocol- Displays the connections for the protocol specified by this parameter. Valid values are TCP, UDP, TCPv6, or UDPv6. Used in conjunction with the -s parameter to display protocol statistics. Valid values are IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r- Display the contents of the route table.
-s- Display protocol statistics. By default, statistics are displayed for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6 protocols. The -p option allows you to specify a subset of the output.
-t- Display of the current connection in the state of transferring the load from the processor to the network adapter during data transfer ("offload").
-v- Detailed information output, if possible.
interval- Repeated output of statistical data at a specified interval in seconds. To stop outputting data, press CTRL+C. If the parameter is not specified, information about the current configuration is displayed once.

In practice, the utility netstat.exe convenient to use in a chain with page output commands ( more), redirects standard output to file ( > ) and searching for text in the output results ( find).

netstat -a | more- display all connections in page-by-page display mode.

netstat -a -n| more- the same as in the previous example, but with port numbers and IP addresses displayed in numeric format. Unlike the previous example, the command netstat with parameter -t works much faster.

netstat -a -f | more- the same as in the previous example, but with displaying the full DNS names of the nodes participating in the connection.

netstat -a > C:\netstatall.txt- display all connections and record the results in the file C:\netstatall.txt.

netstat -a | find /I "LISTENING"- display all connections with LISTENING status, i.e. display a list of network interfaces and ports that are listening for incoming connections ("listening" ports). Key /I in a team find indicates that when searching for text, it is not necessary to take into account the case of characters.

netstat -a | find /I "listening" > C:\listening.txt- display all connections with LISTENING status and write the results to the file C:\listening.txt.

Example of information displayed:

Active connections

Name- name of the protocol.

Local address- local IP address participating in the connection or associated with the service waiting for incoming connections (listening to the port). If 0.0.0.0 is displayed as an address, then this means “any address”, i.e. all IP addresses existing on a given computer can be used in the connection. The address 127.0.0.1 is a loopback interface used as an IP protocol means for communication between processes without actually transferring data.

External address The external IP address involved in creating the connection.

State- connection status. State Listening indicates that the status bar displays information about the network service that is waiting for incoming connections using the appropriate protocol to the address and port displayed in the "Local Address" column. State ESTABLISHED indicates an active connection. In the "Status" column for connections via the TCP protocol, the current stage of the TCP session can be displayed, determined by the processing of the flag values in the TCP packet header (Syn, Ask, Fin ...). Possible states:

CLOSE_WAIT- waiting for the connection to close.
CLOSED- connection is closed.
ESTABLISHED- connection is established.
LISTENING- connection is expected (listening port)
TIME_WAIT- response time exceeded.

Name software module associated with this connection is displayed if the parameter is specified -b on the command line when running netstat.exe.

netstat -a -b- get a list of all network connections and associated programs.

TCP 192.168.0.3:3389 89.22.52.11:5779 ESTABLISHED
CryptSvc

IN in this example displays information about the connection in which software components are involved CryptSvc And svchost.exe.

netstat -ab- command line parameters can be combined. Parameter -ab equivalent -a -b

netstat -e- receive statistical data for exchange via Ethernet protocol. Displays the total values of received and received bytes for all network adapters Ethernet.

Interface Statistics

netstat -e -v- in addition to summary statistics, information about data exchange through individual network interfaces is displayed.

netstat -e -s- in addition to Ethernet statistics, statistics for IP, ICMP, TCP, UDP protocols are displayed

Interface Statistics

IPv4 Statistics

Packets received
Header errors received
Errors received in addresses
Datagrams sent

Received packets dropped

Withdrawal requests
Discarded routes
Output packets dropped

Assembly required
Successful build
Build failures

Fragments created

= 10877781
= 0
= 27307
= 0
= 0
= 448
= 11384479
= 11919871
= 0
= 1517
= 6
= 0
= 0
= 0
= 5918
= 0
= 11836

IPv6 Statistics

Packets received
Header errors received
Errors received in addresses
Datagrams sent
Unknown protocols received
Received packets dropped
Received packages delivered
Withdrawal requests
Discarded routes
Output packets dropped
Output packets without route
Assembly required
Successful build
Build failures
Datagram fragmented successfully
Datagram fragmentation failures
Fragments created